WS-Federation Configuration¶

WS-Federation is a protocol that enables identity federation across different security realms, allowing users to authenticate once and access multiple applications. This configuration is commonly used with Active Directory Federation Services (ADFS) and provides enterprise-grade security for organizations using Windows-based identity infrastructure.

Getting Started¶

Setting up WS-Federation authentication is straightforward and takes just a few configuration steps. Follow this quick setup process to enable secure access for your organization.

Navigate to Admin Console > Security > Single Sign-On.
Turn on the toggle Enable SSO.
In the Select a suitable Sign-On Protocol section, select WS-Federation.
In the Configure section, select your identity provider and configure the settings.

Identity Provider Configurations¶

Choose from the supported identity providers or use a custom WS-Federation configuration. Each provider offers specific features and integration capabilities to match your security requirements.

Windows Azure Configuration¶

Windows Azure Active Directory (now Microsoft Entra ID) provides comprehensive identity federation capabilities with seamless integration for Azure-based organizations. Configure these essential fields to establish secure communication between Azure and AI for Work.

Configuration Fields¶

Field	Description	Required
Azure AD Sign-On Endpoint URL	The URL that AI for Work must use for sign-on and sign-off/out requests using Azure. This is the WS-Federation passive endpoint. (e.g., https://login.microsoftonline.com/<tenant-id>/wsfed)	Yes
Azure AD Federation Metadata Document	The URL for the federation metadata document used for authentication with Azure Active Directory. This XML document contains configuration details and certificates. (e.g., https://login.microsoftonline.com/<tenant-id>/FederationMetadata/2007-06/FederationMetadata.xml)	Yes

Configuration Steps¶

Select Identity Provider:
- In the Configure section, select Windows Azure.
Configure Required Fields:
- Enter the Azure AD Sign-On Endpoint URL.
- Enter the Azure AD Federation Metadata Document URL.
Save Configuration:
- Click Save.
- The Identity Provider information successfully updated message is displayed at the top of the page.

Setting up Windows Azure for AI for Work SSO¶

To set up the AI for Work application in your Microsoft Entra ID (formerly Azure AD) environment using WS-Federation, you need to register a relying party trust and configure federation settings.

Prerequisites: You must have Microsoft Entra ID administrator privileges and have already selected Windows Azure as a WS-Federation provider in the AI for Work Admin Console.

Steps to configure Windows Azure:

Access Azure Portal:
- Log in to Azure Portal.
- Navigate to Microsoft Entra ID.
Locate Federation Endpoints:
- Go to App registrations > Endpoints.
- Note the following endpoints:
  - Federation metadata document URL
  - WS-Federation sign-on endpoint URL
Configure Enterprise Application:
- Navigate to Enterprise applications > New application.
- Select Create your own application.
- Choose Integrate any other application you don't find in the gallery.
- Enter "AI for Work" as the application name.
- Click Create.
Set Up Single Sign-On:
- In the application overview, go to Single sign-on.
- Select WS-Fed as the single sign-on method.
- Configure the following:
  - Identifier (Entity ID): Provided by AI for Work
  - Reply URL: Provided by AI for Work
  - Sign-on URL: Your AI for Work instance URL
Configure User Assignment:
- Go to Users and groups.
- Click Add user/group.
- Select users or groups that should have access to AI for Work.
- Click Assign.
Copy Configuration Details:
- From the endpoints page, copy the following to AI for Work:
  - WS-Federation Sign-On Endpoint → Azure AD Sign-On Endpoint URL
  - Federation Metadata Document URL → Azure AD Federation Metadata Document
Test Configuration:
- Verify that the metadata document URL is accessible.
- Ensure all users assigned to the application can authenticate.
Save the configuration in AI for Work.

Other (Generic WS-Federation Provider)¶

Use this option for any WS-Federation compliant identity provider not specifically listed above, including on-premises Active Directory Federation Services (ADFS) deployments. This flexible configuration supports custom enterprise identity solutions and third-party WS-Federation providers.

Configuration Fields¶

Field	Description	Required
AD Sign-On Endpoint URL	The URL that AI for Work must use for sign-on and sign-off/out requests using the WS-Federation identity provider. This is the WS-Federation passive endpoint. (e.g., `https://adfs.yourcompany.com/adfs/ls/`)	Yes
AD Federation Metadata Document URL	The URL for the federation metadata document used for authentication with Active Directory. This XML document contains configuration details and certificates. (e.g., `https://adfs.yourcompany.com/FederationMetadata/2007-06/FederationMetadata.xml`)	Yes

Configuration Steps¶

Select Identity Provider:
- In the Configure section, select Other.
Configure Required Fields:
- Enter the AD Sign-On Endpoint URL.
- Enter the AD Federation Metadata Document URL.
Save Configuration:
- Click Save.
- The Identity Provider information successfully updated message is displayed at the top of the page.

Setting up ADFS for AI for Work SSO¶

To set up the AI for Work application with Active Directory Federation Services (ADFS), you need to add a relying party trust and configure claim rules.

Prerequisites: You must have ADFS administrator access and have already selected Other as a WS-Federation provider in the AI for Work Admin Console.

Steps to configure ADFS:

Open ADFS Management Console:
- Log in to your ADFS server.
- Open ADFS Management from Server Manager or Administrative Tools.
Add Relying Party Trust:
- Right-click Relying Party Trusts and select Add Relying Party Trust.
- Click Start in the wizard.
- Select Enter data about the relying party manually.
- Click Next.
Configure Display Name:
- Enter "AI for Work" as the display name.
- Optionally add notes about the application.
- Click Next.
Select Profile:
- Choose AD FS profile.
- Click Next.
Configure Certificate:
- Skip the certificate configuration (unless you have specific requirements).
- Click Next.
Configure URLs:
- Check Enable support for the WS-Federation Passive protocol.
- Enter the Relying party WS-Federation Passive protocol URL (provided by AI for Work).
- Click Next.
Add Relying Party Trust Identifier:
- Enter the relying party trust identifier (provided by AI for Work).
- Click Add.
- Click Next.
Configure Multi-factor Authentication:
- Select your preferred MFA setting.
- Click Next.
Choose Issuance Authorization Rules:
- Select Permit all users to access this relying party.
- Click Next.
Review Settings:
- Review all configuration settings.
- Check Open the Edit Claim Rules dialog.
- Click Close.
Configure Claim Rules:
- In the Edit Claim Rules dialog, click Add Rule.
- Select Send LDAP Attributes as Claims.
- Configure the following mappings:
  - E-Mail-Addresses → E-Mail Address
  - Given-Name → Given Name
  - Surname → Surname
  - User-Principal-Name → UPN
- Click Finish.
Add Name ID Claim:
- Click Add Rule again.
- Select Transform an Incoming Claim.
- Configure:
  - Incoming claim type: E-Mail Address
  - Outgoing claim type: Name ID
  - Outgoing name ID format: Email
- Click Finish and OK.
Locate Federation Endpoints:
- In ADFS Management, go to Service > Endpoints.
- Note the following:
  - WS-Federation Passive Endpoint: /adfs/ls/
  - Federation Metadata URL: /FederationMetadata/2007-06/FederationMetadata.xml
Copy Configuration Details:
- Copy the following to AI for Work:
  - Full WS-Federation endpoint URL → AD Sign-On Endpoint URL
  - Full federation metadata URL → AD Federation Metadata Document URL
Test Metadata Accessibility:
- Open the federation metadata URL in a browser.
- Verify that the XML document loads correctly.
- Ensure it's accessible from the network where AI for Work is hosted.
Save the configuration in AI for Work.

Send Feedback